Techniques for authenticating clients of differing capabilities in an efficient manner. Two or more authentication techniques, including one preferred authentication technique, are initiated to run in parallel to authenticate a client. Upon determining that the client can support the preferred authentication technique, the preferred technique is used to authenticate the client and the other authentication techniques are aborted. If it is determined that the client cannot support the preferred authentication technique, then one of the other authentication techniques is used to authenticate the client. In this manner, based upon the capabilities of the client, an appropriate authentication technique is used to authenticate the client in an efficient manner.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method comprising: sending, by a network device to a client to be authenticated, a first message corresponding to a preferred authentication technique; sending, by the network device to an authentication server, a second message corresponding to a non-preferred authentication technique such that processing by the client in response to the first message is performed in parallel to processing by the authentication server in response to the second message; determining, by the network device, whether a response from the client to the first message is received by the network device within a predetermined time period; upon determining that a response from the client to the first message is received by the network device within the predetermined time period, causing the client to be authenticated using the preferred authentication technique instead of the non-preferred authentication technique; and upon determining that a response from the client to the first message is not received by the network device within the predetermined time period, causing the client to be authenticated using the non-preferred authentication technique instead of the preferred authentication technique.
A network device authenticates clients by initiating two authentication methods in parallel: a preferred method and a non-preferred method. The device sends a first message related to the preferred method to the client and a second message related to the non-preferred method to an authentication server. If the client responds to the first message within a set time, the device authenticates the client using the preferred method and ignores the non-preferred method. If no response is received from the client within that time, the device uses the non-preferred method for authentication.
2. The method of claim 1 wherein the preferred authentication technique is based upon IEEE 802.1x.
The client authentication method described above uses IEEE 802.1x as the preferred authentication technique. The network device initiates both an 802.1x authentication and a fallback authentication method simultaneously. Client authentication proceeds using 802.1x if the client supports it; otherwise, the fallback method is used. This allows for faster authentication for 802.1x-compatible clients.
3. The method of claim 1 wherein the non-preferred authentication technique uses a medium access control (MAC) address of the client or an Internet Protocol (IP) address of the client.
In the client authentication method, the non-preferred fallback authentication method relies on either the client's MAC address or IP address to authenticate. If the preferred method (e.g., 802.1x) fails or times out, the network device uses the client's MAC or IP address to authenticate the client against an authentication server. This provides a basic authentication mechanism for devices that don't support the preferred protocol.
4. The method of claim 1 wherein sending the first message comprises sending an Extensible Authentication Protocol (EAP) identifier request to the client.
In this version of the method, the first message that starts the preferred technique is an Extensible Authentication Protocol (EAP) identifier request sent to the client. EAP is the authentication framework used by IEEE 802.1x, and the identity request prompts a client that supports it to reply with its identity. That reply is the response the network device waits for within the predetermined time period: a client with an 802.1x supplicant answers and is authenticated with the preferred technique, while a client without one never answers, so the network device falls back to the non-preferred technique that it started in parallel.
5. The method of claim 1 wherein sending the second message comprises sending an authentication request based upon a medium access control (MAC) address of the client to the authentication server.
As part of the parallel authentication process, the network device sends a second message to an authentication server. This message is an authentication request based on the client's MAC address. The authentication server then uses the MAC address for authentication while the device simultaneously waits for a response from the client to the preferred authentication method.
6. The method of claim 1 wherein, upon determining that a response from the client to the first message is received by the network device within the predetermined time period, aborting the non-preferred authentication technique-related processing performed in response to the second message.
If the client responds to the preferred authentication method (first message) within a predetermined time, the network device aborts the non-preferred authentication process that was initiated with the second message to the authentication server. This ensures that resources are not wasted on the non-preferred method when the client supports the preferred method.
7. The method of claim 1 wherein, upon determining that a response from the client to the first message is received by the network device within the predetermined time period, discarding a result received from the authentication server in response to the second message.
If the client authenticates using the preferred method (first message is received in time), the network device discards any result received from the authentication server that relates to the non-preferred authentication technique (second message). This ensures the device only uses the result from the chosen authentication method.
8. The method of claim 1 wherein the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.
In the described client authentication method, the authentication server used for the non-preferred method is a Remote Authentication Dial-In User Service (RADIUS) server. The network device sends the second message (authentication request based on MAC address, etc.) to this RADIUS server for authentication.
9. A device comprising: a processor; and a memory coupled with the processor and having stored therein a plurality of instructions, which when executed by the processor, cause the device to: send, to a client to be authenticated, a first message corresponding to a preferred authentication technique; send, to an authentication server, a second message corresponding to a non-preferred authentication technique such that processing by the client in response to the first message is performed in parallel to processing by the authentication server in response to the second message; determine whether a response from the client to the first message is received by the device within a predetermined time period; cause the client to be authenticated using the preferred authentication technique instead of the non-preferred authentication technique upon determining that a response from the client to the first message is received by the device within the predetermined time period; and cause the client to be authenticated using the non-preferred authentication technique instead of the preferred authentication technique upon determining that a response from the client to the first message is not received by the device within the predetermined time period.
A network device includes a processor and memory with instructions to authenticate clients using parallel authentication techniques. The device sends a first message for a preferred technique to the client and a second message for a non-preferred technique to an authentication server. If the client responds to the first message in time, it's authenticated using the preferred technique; otherwise, the non-preferred technique is used.
10. The device of claim 9 wherein the preferred authentication technique is based upon IEEE 802.1x.
The network device described above uses IEEE 802.1x as the preferred authentication technique in its parallel authentication process.
11. The device of claim 9 wherein the non-preferred authentication technique uses a medium access control (MAC) address of the client or an Internet Protocol (IP) address of the client.
The network device, as described, uses the client's MAC address or IP address for the non-preferred authentication technique when the preferred authentication method fails or isn't supported.
12. The device of claim 9 wherein the first message comprises an Extensible Authentication Protocol (EAP) identifier request.
The network device sends an Extensible Authentication Protocol (EAP) identifier request as the first message, initiating the preferred authentication method in its parallel authentication approach.
13. The device of claim 9 wherein the second message comprises an authentication request based upon a medium access control (MAC) address of the client.
The network device sends an authentication request based on the client's MAC address as the second message to the authentication server, initiating the non-preferred authentication method.
14. The device of claim 9 wherein the plurality of instructions comprises instructions, which when executed by the processor, cause the device to, upon determining that a response from the client to the first message is received by the device within the predetermined time period, abort the non-preferred authentication technique-related processing performed in response to the second message.
The network device aborts the non-preferred authentication process if the client responds to the preferred authentication method (first message) within the defined timeframe.
15. The device of claim 9 wherein the plurality of instructions comprise instructions, which when executed by the processor, cause the device to, upon determining that a response from the client to the first message is received by the device within the predetermined time period, discard a result received from the authentication server in response to the second message.
The network device discards results from the authentication server related to the non-preferred technique if the client successfully authenticates using the preferred technique.
16. The device of claim 9 wherein the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.
The network device utilizes a Remote Authentication Dial-In User Service (RADIUS) server as the authentication server for the non-preferred authentication method.
17. A device comprising: a processor; and a memory coupled with the processor, the memory storing a plurality of instructions, which when executed by the processor, cause the device to, in response to a request received by the device from a client to access a resource: initiate a preferred authentication technique by sending a first message to the client to be authenticated; initiate a non-preferred authentication technique by sending a second message to an authentication server such that processing by the client in response to the first message is performed in parallel to processing by the authentication server in response to the second message; determine whether a response from the client to the first message is received by the device within a predetermined time period; use the preferred authentication technique instead of the non-preferred authentication technique to authenticate the client upon determining that a response from the client to the first message is received by the device within the predetermined time period; and use the non-preferred authentication technique instead of the preferred authentication technique to authenticate the client upon determining that a response from the client to the first message is not received by the device within the predetermined time period.
A device, upon receiving a resource access request from a client, initiates parallel authentication. It sends a first message for a preferred technique directly to the client and a second message for a non-preferred technique to an authentication server. The client is authenticated using the preferred technique if a timely response to the first message is received. Otherwise, the non-preferred technique is used.
18. The device of claim 17 wherein: the first message comprises an Extensible Authentication Protocol (EAP) identifier request; and the second message comprises an authentication request based upon a medium access control (MAC) address of the client.
In the parallel authentication process, the first message sent to the client by the network device for the preferred technique is an Extensible Authentication Protocol (EAP) identifier request. Simultaneously, the second message sent to the authentication server for the non-preferred technique is an authentication request based on the client's MAC address.
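The decision rule shared by claims 1, 6 and 7 (wait a bounded time for the client's EAP identity response, otherwise fall back to the MAC-based result from the RADIUS server), as an added example written for this page rather than code from the patent; the `Event`/`Decision` types, the event names and the timeline values are assumptions.

```python
"""Network-device decision logic from claim 1 (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed event model: what the network device observes after it has sent, at t=0,
# an EAP-Request/Identity to the client and a MAC-based Access-Request to RADIUS.
@dataclass(frozen=True)
class Event:
    t: float           # seconds after both messages were sent
    kind: str          # "eap_identity_response" (client) or "radius_mac_result" (server)
    payload: str = ""  # EAP identity, or "Access-Accept" / "Access-Reject"

@dataclass(frozen=True)
class Decision:
    technique: str          # "802.1x" (preferred) or "mac" (non-preferred)
    result: str             # next step or final outcome
    discarded_radius: bool  # claim 7: a MAC-auth result from RADIUS was ignored

def decide(events: List[Event], timeout: float) -> Decision:
    ordered = sorted(events, key=lambda e: e.t)
    eap: Optional[Event] = next(
        (e for e in ordered if e.kind == "eap_identity_response" and e.t <= timeout), None)
    radius: Optional[Event] = next(
        (e for e in ordered if e.kind == "radius_mac_result"), None)
    if eap is not None:
        # Client answered the EAP identity request inside the window, so it supports
        # 802.1x: the preferred technique continues, MAC-auth processing is aborted
        # (claim 6) and any RADIUS result, early or late, is discarded (claim 7).
        return Decision("802.1x", f"continue EAP exchange for identity {eap.payload!r}",
                        discarded_radius=radius is not None)
    # Timer expired with no EAP response (a late one is ignored): the client cannot do
    # 802.1x, so the non-preferred MAC-based result from the RADIUS server decides.
    if radius is None:
        return Decision("mac", "await RADIUS result", False)
    return Decision("mac", radius.payload, False)

if __name__ == "__main__":
    timeout = 5.0  # assumed predetermined time period, seconds
    scenarios = {  # constructed timelines
        "laptop with supplicant": [Event(0.3, "eap_identity_response", "alice"),
                                   Event(0.8, "radius_mac_result", "Access-Accept")],
        "printer, no supplicant": [Event(0.8, "radius_mac_result", "Access-Accept")],
        "unknown MAC, late EAP":  [Event(0.8, "radius_mac_result", "Access-Reject"),
                                   Event(7.0, "eap_identity_response", "late")],
    }
    for name, timeline in scenarios.items():
        print(f"{name}: {decide(timeline, timeout)}")
```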
January 23, 2012
August 27, 2013